1 Introduction

This document has been written in support of a research project to publicly demonstrate and document how a high assurance product can be developed and distributed. A high assurance product is one for which its users have a high level of confidence that its security policies will be enforced continuously and correctly. Such products are constructed so that they can be analyzed for these characteristics. Lifecycle activities ensure that the product reflects the intent that it be trustworthy, and that vigorous efforts have been made to ensure the absence of unspecified functionality, whether accidental or intentional.

The purpose of this plan is to provide the policy necessary to ensure the physical protection of the product during its entire life cycle. Product integrity is the primary concern, though confidentiality is not disregarded.

2 [Organization Name Here]

This section describes the physical security of the organization that is developing the product.

3 Policy

This section provides the policy statements with respect to physical security of high assurance product development.

1. The physical security requirements of sponsoring organizations or customers shall be complied with.

2. The development servers shall be physically protected.

The servers that store electronic files under development for a project shall be physically and logically accessible to authorized personnel only. (See the Personnel Security Plan [1] for information about authorized users.) The server shall reside in the physically protected office of an authorized developer, or in a locked room with controlled access, or, if it must be placed in an area to which unauthorized users have access, in a locked rack.

3. The Configuration Management (CM) network shall be physically protected and isolated.

The network of systems dedicated to CM shall not be networked to non-CM systems in any way. They shall only be physically accessible to project personnel, and they shall only have user accounts for the CM manager and CM staff. Developers shall not have accounts on CM systems.

4. The development network shall be physically or logically separated from any other network.

The network that supports the development of a high assurance project shall not have connectivity to other networks.

5. Keys and combinations shall be controlled.

When keys are used to control physical access, key control policies will be established and followed. When combinations are used to control physical access, the combinations will be changed no less than quarterly, or whenever someone who knows the combination separates from the project, whichever comes first. When combinations are used to control physical access to cabinets, the combinations will be changed whenever someone who knows the combination separates from the project.

6. Project data under development should be stored on the development servers.

If a client system has only limited physical protection, then project data shall not be allowed on the client system. Such clients shall access project data remotely in such a way that the data remains on the server and is not copied to the client. If a client system has physical protection such that only authorized personnel have access to it, then project data can be temporarily copied to the client system, but changes shall be copied back to the server so they can be properly backed up.

7. A backup plan shall be established and followed for both the development servers and the CM server. (See Appendix A for the backup plan for the development server.)

The plan must prepare for the following kinds of disasters:

a. Human error

b. Disk error

c. Theft of servers

d. Physical disasters

8. Backup media shall be physically protected.

The backup media shall be protected to at least the same degree as the systems whose data they hold.

9. Visitors

Visitors are allowed in the physical presence of the project servers when escorted by authorized personnel.

10. Audits

Unscheduled checks of the physical security measures will be made. Examples of auditable items:

a. Verification that doors and cabinets are locked.

b. Verification that backups are being performed according to plan.

c. Verification that all backup media are accounted for.

d. Verification that systems on the development network cannot access outside networks, and that outside networks cannot access the development network.

All audits, and their results, are to be documented. Violations of policy shall be brought to the attention of the Change Control Board (CCB) to determine the appropriate course of action.
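One way to make audit item 10.d repeatable on the outbound side is to inspect each development host's routing table and flag any route that leads off the development network. The following is an added example, not tooling from the TCX project or from the plan itself; it parses `ip route show` output (the sample text is constructed) and treats a default route, or any destination outside the declared development prefixes, as a violation. The prefix 10.50.0.0/16 and the interface names are assumptions made for the example.

```python
"""Audit check for development-network isolation (policy item 10.d).

Added example, not part of the TCX plan. It parses the output of
`ip route show` and reports any route that would let a development host
reach a network outside the declared development prefixes. The prefix
10.50.0.0/16, the interface name and the sample routes are assumptions
constructed for the example.
"""
import ipaddress
from typing import List, Tuple

# Assumed development network prefixes; the plan itself names none.
DEV_PREFIXES = [ipaddress.ip_network("10.50.0.0/16")]

# Constructed `ip route show` output from a host that VIOLATES the policy:
# it carries a default route and a static route to a non-project subnet.
SAMPLE_ROUTES_BAD = """\
default via 10.50.0.1 dev eth0 proto static
10.50.0.0/16 dev eth0 proto kernel scope link src 10.50.3.17
192.168.100.0/24 via 10.50.0.254 dev eth0 proto static
169.254.0.0/16 dev eth0 scope link metric 1000
"""

# Constructed output from a compliant host: only the on-link dev prefix.
SAMPLE_ROUTES_GOOD = """\
10.50.0.0/16 dev eth0 proto kernel scope link src 10.50.3.17
"""


def parse_routes(text: str) -> List[Tuple[str, str]]:
    """Return (destination, raw_line) for each non-empty line of `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        routes.append((fields[0], line.strip()))
    return routes


def find_violations(text: str, allowed=DEV_PREFIXES) -> List[str]:
    """Return the route lines that reach outside the allowed development prefixes.

    A `default` route is always a violation. Any other destination is a
    violation unless it lies entirely inside one of the allowed prefixes.
    Link-local (169.254.0.0/16) is reported too: it is not a project
    network, and the policy allows no connectivity to other networks.
    """
    violations = []
    for dest, line in parse_routes(text):
        if dest == "default":
            violations.append(line)
            continue
        # `ip route` prints host routes without a prefix length; normalise.
        net = ipaddress.ip_network(dest if "/" in dest else dest + "/32", strict=False)
        inside = any(net.version == a.version and net.subnet_of(a) for a in allowed)
        if not inside:
            violations.append(line)
    return violations


def is_isolated(text: str) -> bool:
    """True when the routing table shows no path off the development network."""
    return not find_violations(text)


if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_ROUTES_BAD), ("good", SAMPLE_ROUTES_GOOD)):
        found = find_violations(sample)
        print(f"{name}: {'PASS' if not found else 'FAIL'}")
        for line in found:
            print("   ", line)
```

On a real host the sample text would be replaced by the output of `ip route show` (and `ip -6 route show`, which the version check already tolerates). A clean routing table covers only the outbound half of item 10.d; the inbound half, that outside networks cannot reach the development network, has to be tested from a host outside that network, since nothing on the development host can prove what the rest of the building can route to.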

11. The configuration of the following systems is controlled by the CCB:

• Development clients

• Development servers

• Configuration management clients

• Configuration management server

• Formal verification clients

• Formal verification server

Any installation or removal of software, including patches, must be approved ahead of time. Any change in the configuration of the systems must be approved ahead of time. This does not include the adding and removing of accounts, which is covered in the Personnel Security Plan [1].

It is recognized that issues arise that require a system administrator to debug project hardware and software to determine the cause of a problem. Such debugging may require the ad-hoc modification of settings, un-installation of CCB-approved software, etc. In such cases, the system administrator is granted approval to apply reasonable practices to identify the problem. However, careful notes of all changes shall be taken. If the changes that fix the problem would normally require CCB approval, then the Project Manager may approve them in order to get the system back online, but the change must be submitted to the CCB for ratification.

4 Responsibilities

This section assigns responsibility for meeting the requirements of this document.

1. Organizational security personnel.

This paragraph shall describe the expected security practices and procedures of the security personnel within the associated organization.

NPS-CAG-14-006
TCX: Physical Security Plan

2. Change Control Board (CCB)

The CCB oversees the physical security of the development and CM systems, including the oversight of physical security audits.

3. System Administrators

The system administrators are responsible for performing the backups as specified by the development server backup plan, and for properly storing the backup media.

The system administrators are responsible for properly configuring the systems on the development network to prevent access to other networks.

4. Lab Manager

An assigned manager or authorized user shall be responsible for changing the combinations and managing the physical keys as required.

5. Authorized Personnel

All personnel associated with a high assurance project have a responsibility to be familiar with the physical security policies defined herein, to comply with them, and to report any violations in a timely fashion.

References

[1] P. C. Clark, C. E. Irvine, T. Levin, and T. D. Nguyen, "Trusted Computing Exemplar: Personnel security plan," Naval Postgraduate School, Monterey, CA, Tech. Rep. NPS-CAG-14-005, Dec. 2014.
Appendix A - Development Server Backup Plan

This appendix lays out the minimal requirements for the preservation of project data on the development server.

1. Backup Frequency

Once per week: Full manual backup of project data to removable media that is stored away from the servers.

Every workday: Full automated backup of project data to an external device that is not removed from the servers.

Other: An image backup of the servers shall be made after initial setup and after configuration changes are made.

2. Verification

If the backup software provides the functionality, backups shall be verified. Verification shall be performed before a log entry is made (see below).

3. Rotation of Media

The weekly backup shall be kept for four weeks before it is put back into the rotation.

The last weekly backup of the month shall be removed from the rotation for twelve months before it is put back into the rotation.

The last weekly backup of the year shall be archived for permanent storage.

4. Off-Site Storage

The last weekly backup of the month, and the last weekly backup of the year, shall be stored off-site.

5. Reliability

CDs shall not be used for backup media, due to reliability problems.

6. Documentation Requirements

Procedures: The person performing the backups shall follow written, established procedures.

Media: The backup media shall be marked with the date of the backup, the name of the system it was used on, and the type of backup (weekly, monthly, yearly).

Log: A notation shall be made in a log indicating that the backup has been performed, including the date and time, and whether the backup has been verified. Any errors or abnormal performance shall also be noted in the log.
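The rotation rules in sections 3 and 4 and the media and log requirements in section 6 are easy to get wrong by hand at month and year boundaries, so they are worth encoding once. The following is an added example and not the project's own backup tooling: it classifies each weekly backup as weekly, monthly or yearly under the Appendix A rules, computes when the medium returns to rotation and whether it goes off-site, and produces the media label and log line section 6 asks for. It assumes the weekly backup runs on Fridays; the server name `devsrv`, the dates and the sample data are constructed for the example.

```python
"""Backup media rotation and labelling for the Appendix A plan.

Added example, not the project's own tooling. It applies the Appendix A
rotation rules to each weekly backup, decides off-site handling, and
produces the media label and log line required by section 6. The weekly
backup is assumed to run on Fridays; the server name 'devsrv' and the
dates used below are constructed for the example.
"""
import calendar
import hashlib
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

WEEKLY_RETENTION = timedelta(weeks=4)   # section 3: "kept for four weeks"


@dataclass(frozen=True)
class MediumPlan:
    kind: str                         # "weekly", "monthly" or "yearly"
    taken: date
    back_in_rotation: Optional[date]  # None means archived permanently
    off_site: bool


def _add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps the day (e.g. 29 Feb + 12 -> 28 Feb)."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def classify_weekly_backup(taken: date) -> MediumPlan:
    """Apply the Appendix A rotation rules to a weekly backup taken on `taken`.

    The backup is the last weekly one of its month if the next weekly run
    (seven days later) falls in a different month, and likewise for the
    year. The yearly rule is checked first because the last weekly backup
    of the year is also the last weekly backup of its month.
    """
    next_run = taken + timedelta(days=7)
    if next_run.year != taken.year:
        return MediumPlan("yearly", taken, None, off_site=True)
    if next_run.month != taken.month:
        return MediumPlan("monthly", taken, _add_months(taken, 12), off_site=True)
    return MediumPlan("weekly", taken, taken + WEEKLY_RETENTION, off_site=False)


def media_label(plan: MediumPlan, system: str) -> str:
    """Section 6 label: date of the backup, system name, and type of backup."""
    return f"{plan.taken.isoformat()} {system} {plan.kind}"


def verify_copy(source: bytes, copy: bytes) -> bool:
    """Section 2 verification: the copy must hash identically to the source."""
    return hashlib.sha256(source).digest() == hashlib.sha256(copy).digest()


def log_entry(system: str, when: datetime, verified: bool, errors: str = "") -> str:
    """Section 6 log line: date and time, verification status, and any abnormal events."""
    status = "verified" if verified else "NOT verified"
    line = f"{when.isoformat(timespec='minutes')} {system} backup performed, {status}"
    return line + (f"; errors: {errors}" if errors else "")


if __name__ == "__main__":
    # Constructed schedule: Fridays around the 2014/2015 year boundary.
    for d in (date(2014, 12, 19), date(2014, 12, 26), date(2015, 1, 9), date(2015, 1, 30)):
        plan = classify_weekly_backup(d)
        where = "off-site" if plan.off_site else "on-site"
        print(media_label(plan, "devsrv"), "->", plan.back_in_rotation or "permanent", where)
    ok = verify_copy(b"constructed project data", b"constructed project data")
    print(log_entry("devsrv", datetime(2014, 12, 26, 18, 5), ok))
```

Run as a script, the block prints the label and return date for each sample Friday; the 26 December backup comes out as yearly and permanent, and the 30 January one as monthly, back in rotation a year later and stored off-site. The `verify_copy` helper stands in for whatever verification the backup software offers; the point the plan makes is the ordering, that verification happens before the log line is written and its outcome is recorded in it.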